Security Incidents mailing list archives

Re: backdoor or bot?


From: Mark Symonds <mark () SYMONDS NET>
Date: Wed, 27 Dec 2000 23:29:28 -0800

----- Original Message -----
From: "Daniel Wittenberg" <daniel-wittenberg () UIOWA EDU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, December 27, 2000 9:46 AM
Subject: Re: backdoor or bot?


Are there any good tools out there to scan a network for some of these known
backdoors/trojans?  Preferably something GPL and Linux, but anything known
would be nice...


I don't know anything about anything but the following script
might be helpful on a per-box basis (perhaps extended via netcat
or perl/python/somesuch?) ... I named it 'pn', and it is admittedly
written in a pinch:

#!/bin/sh
#
# Simple script that shows you which
# users are running processes that LISTEN,
# and optionally kills them.
#
# The OKu file contains a list of usernames,
# one per line, that are allowed to run such
# processes.  Their processes are not affected
# by this program.
#
# A single commandline parameter is accepted:
# 'y' will make it automatically kill the offending
# processes with no further output.  'pn y'.   This
# is for crontabbing.

# OKu is read from the current directory, so cd there
# first (in the crontab entry too) or change this path.
OKu=./OKu

# PIDs of processes with a TCP socket in LISTEN state.
# netstat -p prints PID/Program in column 7; a "-" there
# means the owner is not visible (run as root to see all).
table=`netstat -tanp |grep LISTEN |\
awk '{print $7}' |cut -d '/' -f 1 |grep -v '^-$' |sort -u`

# With an empty PID list 'ps uh' would list the caller's
# own processes instead, so stop here rather than flag them.
if [ -z "$table" ]
then
     [ "$1" = "y" ] || [ "$1" = "Y" ] || echo "No processes detected."
     exit 0
fi

# One line (PID, user, command) per listening process whose
# owner is not in OKu.  awk compares the whole username, so
# a name in OKu cannot match part of a command line by accident.
processes=`ps uh $table |\
awk -v okfile="$OKu" 'BEGIN {while ((getline u < okfile) > 0) ok[u]=1}
!($1 in ok) {print $2"\t"$1"\t  "$11}'`

# PIDs taken from the same listing, so they always match it.
pids=`echo "$processes" |awk '{print $1}'`

if [ "$1" = "y" ] || [ "$1" = "Y" ]
then
     if [ -n "$processes" ]
     then
          kill -9 $pids
     fi
     exit 0
fi

if [ -n "$processes" ]
then
     printf "\nUserland processes that LISTEN:\n\n"
     printf "PID\tUSER\t  CMD\n%s\n" "$processes"
     printf "Kill these processes? [y/n]: "
     read killproc

     if [ "$killproc" = "y" ] || [ "$killproc" = "Y" ]
     then
          kill -9 $pids
     else
          echo "No process killed."
     fi
else
     echo "No processes detected."
fi

exit 0

... example OKu file:

mysql
root
www-data
daemon

Does anyone know of an easy way to thwart this?
Surely there are many.

--
Mark
(jr. sysadmin for hire!)
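The 'pn' script above relies on netstat and on grepping the user column. As an added example (not part of the original post), the Python below performs the same per-box check straight from /proc on Linux: it parses the LISTEN sockets in /proc/net/tcp, maps each socket inode back to its PID and command via the /proc/*/fd symlinks, and reports the listeners whose owning user is not in the same one-username-per-line OKu file. The sample /proc/net/tcp text, the function names and the uid/port values are constructed for illustration.

```python
import glob, os, pwd
# Constructed sample of /proc/net/tcp (header + 3 rows): st 0A is LISTEN, local_address
# is hex "IP:port", column 8 is the owning uid and column 10 the socket inode.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 67890 1
   2: 0100007F:8C5A 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 11111 1
"""

def listening_sockets(proc_net_tcp_text):
    """Return {inode: (port, uid)} for every TCP socket in LISTEN state."""
    found = {}
    for line in proc_net_tcp_text.splitlines()[1:]:       # first line is the header
        f = line.split()
        if len(f) >= 10 and f[3] == "0A":
            found[f[9]] = (int(f[1].rsplit(":", 1)[1], 16), int(f[7]))
    return found

def socket_owners(inodes):
    """Map socket inode -> (pid, comm) by scanning /proc/*/fd symlinks (Linux only)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:                                   # process or fd already gone
            continue
        if target.startswith("socket:[") and target[8:-1] in inodes:
            pid = fd.split("/")[2]
            with open("/proc/%s/comm" % pid) as c:
                owners[target[8:-1]] = (int(pid), c.read().strip())
    return owners

def unexpected_listeners(sockets, allowed_users, uid_to_name):
    """Sorted (port, user, inode) for listeners whose owner is not in allowed_users."""
    return sorted((port, uid_to_name(uid), inode)
                  for inode, (port, uid) in sockets.items()
                  if uid_to_name(uid) not in allowed_users)

if __name__ == "__main__":
    with open("OKu") as f:                                # same allowlist file as 'pn'
        allowed = {u.strip() for u in f if u.strip()}
    with open("/proc/net/tcp") as f:
        socks = listening_sockets(f.read())
    names = {p.pw_uid: p.pw_name for p in pwd.getpwall()}  # unknown uids stay numeric
    owners = socket_owners(set(socks))
    for port, user, inode in unexpected_listeners(socks, allowed, lambda u: names.get(u, str(u))):
        pid, comm = owners.get(inode, ("?", "?"))
        print("%s\t%s\t%s\tport %d" % (pid, user, comm, port))
```

Run it as root so every /proc/<pid>/fd directory is readable; otherwise sockets of other users map to "?" for PID and command but are still reported by owner uid.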

